DNSBL with multiple physical interfaces

Started by NewMe, February 18, 2025, 11:27:47 PM

Greetings. I would like some help setting up Unbound DNS Blocklist (DNSBL) with multiple physical interfaces.

I have a 4-port NIC and would like to utilize the "extra" ports. I have this working, but can't get DNSBL properly setup with multiple physical interfaces. DNSBL does work when I only use one interface for WAN and another for LAN. I followed both of these videos with success (just one technique or the other).

https://youtu.be/o12a2cFGopQ?si=P7tYFtYAZwS34qCM
https://youtu.be/C00L9ngsGsw?si=d8epbJ4IKOJJNRUe

DNSBL works with this configuration:
igb0: WAN
igb1: LAN
10.10.10.1/24 (1010 Home)
10.10.20.1/24 (1020 School)
10.10.30.1/24 (1030 Work)


When I add a second interface (UNSAFE on igb2), traffic on that interface doesn't seem to find a DNS server. If I add a DNS server in Services->DHCPv4->UNSAFE, then all the VLANS in UNSAFE interface can resolve domain names (thus, internet traffic), but not touched by Unbound's DNSBL. VLANS from the LAN interface continue to go through Unbound's DNSBL without any issue.

igb2: UNSAFE
10.20.10.1/24 (2010 Sarah)
10.20.20.1/24 (2020 Tom)
10.20.30.1/24 (2030 Walt)

Any suggestions for a neophyte are appreciated. Thank you.

February 18, 2025, 11:56:15 PM #1 Last Edit: February 18, 2025, 11:58:26 PM by meyergru
What is "a DNS server"? If you want Unbound to block anything, you have to direct all clients via DHCP to "your DNS server", i.e. your own Unbound instance.

If the VLANs are separated (and why would you have those if they are not?), each interface would probably have their 10.x.y.1 address being set as both gateway and DNS server. If you do not set the DNS server explicitly, the ones you use are influenced by several settings. You can end up using your ISP's DNS servers or others.

Also, bear in mind that most browsers circumvent local DNS by using DoT or DoH per default these days, so be wary what you test.

P.S.: The way you describe it, IDK if your VLANs are really VLANs or just subnets on the same physical interface. Usually, you would end up having a logical interface for each VLAN, not just two (LAN and UNSAFE).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Quote from: meyergru on February 18, 2025, 11:56:15 PM
What is "a DNS server"? If you want Unbound to block anything, you have to direct all clients via DHCP to "your DNS server", i.e. your own Unbound instance.

If the VLANs are separated (and why would you have those if they are not?), each interface would probably have their 10.x.y.1 address being set as both gateway and DNS server. If you do not set the DNS server explicitly, the ones you use are influenced by several settings. You can end up using your ISP's DNS servers or others.

Also, bear in mind that most browsers circumvent local DNS by using DoT or DoH per default these days, so be wary what you test.

P.S.: The way you describe it, IDK if your VLANs are really VLANs or just subnets on the same physical interface. Usually, you would end up having a logical interface for each VLAN, not just two (LAN and UNSAFE).

Thank you for your reply, @meyergru.

I have removed all VLANs to simplify the setup for now. DNS Server is not specified in System->Settings->General nor Services->ISC DHCPv4->LAN and Services->ISC DHCPv4->UNSAFE. In this case, clients on the LAN network go through my ISP's DNS server. Clients on UNSAFE network cannot resolve websites unless I specify a DNS server (Cloudflare, Quad9, etc...) in Services->ISC DHCPv4->UNSAFE.

I'm using Firefox, and DoH is set to OFF; DoT is not set.

You could first find out if the clients on your UNSAFE network get a DNS server address via DHCP and then test if you can resolve addresses via that IP ("nslookup www.google.com a.b.c.d") or if you can ping it.

On LAN:
    "nmcli dev list iface eno1 | grep IP4" points my IP4.DNS[1] to my OPNSense instance's IP.

On UNSAFE:
    Linux:
      "nmcli dev list iface eno1 | grep IP4" points DNS to UNSAFE's subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out

    Win10:
      "ipconfig /all" also points DNS to UNSAFE'S subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out

February 20, 2025, 10:00:49 AM #5 Last Edit: February 20, 2025, 10:02:47 AM by meyergru
Quote from: NewMe on February 20, 2025, 02:09:26 AM
On UNSAFE:
    Linux:
      "nmcli dev list iface eno1 | grep IP4" points DNS to UNSAFE's subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out

    Win10:
      "ipconfig /all" also points DNS to UNSAFE'S subnet 10.20.0.1
      can't ping - name does not resolve
      nslookup - timed out


Nope:

Quote from: NewMe on February 18, 2025, 11:27:47 PM
igb2: UNSAFE
10.20.10.1/24 (2010 Sarah)
10.20.20.1/24 (2020 Tom)
10.20.30.1/24 (2030 Walt)

There is no "approximately" in networking, whatsoever. ;-)

Those VLANs currently don't exist... just the LAN and UNSAFE interfaces and their corresponding subnets.

Quote from: NewMe on February 19, 2025, 01:19:58 AM
I have removed all VLANs to simplify the setup for now.

Can you ping 10.20.0.1 from UNSAFE clients?

- If not, look at routing and/or firewall rules.
- If yes and nslookup times out, try again with "nslookup www.google.com 10.20.0.1" to verify you are using the correct server.
- If that does not work and routing and firewall do not keep you from accessing the DNS server: Did you bind Unbound to "All Interfaces", i.e.: selected no single interface?


February 20, 2025, 05:01:14 PM #8 Last Edit: February 20, 2025, 05:49:41 PM by NewMe
I can't ping 10.20.0.1 from UNSAFE clients.

I don't have any routing setup (if you mean System->Routes). Firewall rules block UNSAFE to "This Firewall" and allow internet access:
            Proto           Source        Port    Destination      Port        Gateway    Schedule
    x       IPv4            UNSAFE net    *       This Firewall    *           *          *
    >       IPv4            UNSAFE net    *       *                *           *          *
I have tried enable/disable:
    >       IPv4 TCP/UDP    UNSAFE net    *       172.0.0.1        53 (DNS)    *          *

"All" network interfaces are specified in Unbound as this was the default/recommended.

Additional info--

The following settings are checked:
    Services->Unbound DNS->General
            Enable Unbound
            Enable DNSSEC Support
            Register ISC DHCP4 Leases
            Register DHCP Static Mappings
    Services->Unbound DNS->Advanced
            Hide Identity
            Hide Version
            Prefetch DNS Key Support
            Harden DNSSEC Data
            Strict QNAME Minimisation

And there you have it:
Quote from: NewMe on February 20, 2025, 05:01:14 PM
Firewall rules block UNSAFE to "This Firewall" and allow internet access:

How do you expect UNSAFE clients to be able to ping or access DNS (port 53) on 10.20.0.1, which presumably is "This Firewall", with that blocking rule on top of the list?
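As an added illustration (not part of the thread and not OPNsense code), a small first-match model of the UNSAFE rule list meyergru points at: with the block rule on top, DNS queries to Unbound on 10.20.0.1 are dropped before any pass rule is consulted, while a narrow pass rule for port 53 placed above the block keeps the rest of the firewall shielded. The /24, the client address 10.20.0.50 and "This Firewall" as the destination of the pass rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface address 10.20.0.1 is from the thread; the /24 and client IPs are assumed.
THIS_FIREWALL = {"10.20.0.1"}
UNSAFE_NET = ipaddress.ip_network("10.20.0.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    protos: Optional[frozenset]   # None = any protocol
    src_net: ipaddress.IPv4Network
    dst_this_firewall: bool       # True = destination "This Firewall"
    dst_port: Optional[int]       # None = any destination port


def matches(rule, proto, src, dst, dport):
    return ((rule.protos is None or proto in rule.protos)
            and ipaddress.ip_address(src) in rule.src_net
            and (not rule.dst_this_firewall or dst in THIS_FIREWALL)
            and (rule.dst_port is None or rule.dst_port == dport))


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins (OPNsense rules are 'quick' by default);
    no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"


BLOCK_TO_FW = Rule("block", None, UNSAFE_NET, True, None)
ALLOW_INTERNET = Rule("pass", None, UNSAFE_NET, False, None)
ALLOW_DNS = Rule("pass", frozenset({"tcp", "udp"}), UNSAFE_NET, True, 53)
ALLOW_PING = Rule("pass", frozenset({"icmp"}), UNSAFE_NET, True, None)

# Order as posted: the block rule shadows every packet aimed at the firewall,
# so queries to Unbound on 10.20.0.1:53 never reach the pass rule below it.
AS_POSTED = [BLOCK_TO_FW, ALLOW_INTERNET]

# Defensive alternative: pass only DNS (and ICMP, for the ping test) to the
# firewall *above* the block rule; the web UI/SSH on 10.20.0.1 stay blocked.
WITH_DNS_ALLOWED = [ALLOW_DNS, ALLOW_PING, BLOCK_TO_FW, ALLOW_INTERNET]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("dns allowed", WITH_DNS_ALLOWED)):
        print(f"{name}: DNS {evaluate(rules, 'udp', '10.20.0.50', '10.20.0.1', 53)},"
              f" web UI {evaluate(rules, 'tcp', '10.20.0.50', '10.20.0.1', 443)}")
```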

YAY!!! This is working by removing that rule.

My only excuse is that I'm an OPNSense noob. Trying to be security conscious, I'm trying to protect the fw as much as possible. I already have System->Settings->Administration to only allow LAN as the listen interface. At some point, I thought that blocking rule would be an added layer. It's just my misunderstanding of how that works.

Thank you very much for solving this for me. I appreciate your help!